
We have two types of encryption here, "file based encryption" and "full disk encryption". There are documented forensics methods and software (e.g. EnCase) that help us detect the schemes and programs used to encrypt the disk. I'm going to take a list of popular tools and standards and see if they leave any traces with which we can determine that they've been used:

BitLocker is a full disk encryption standard available on the Windows operating system from Windows 7 onwards; this tool uses AES256 to encrypt the disk. A disk encrypted by BitLocker is different from a normal NTFS disk. The signature "-FVE-FS-" can be found at the beginning of BitLocker encrypted volumes. These volumes can also be identified by a GUID:
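The signature check described above can be scripted against a disk image; the following is an added example, not code from the original text. It assumes 512-byte sectors, MBR partitioning, and that the signature occupies the 8-byte OEM ID field at offset 3 of each volume's first sector; the function names and the sample image are constructed for illustration.

```python
import io
import struct

SECTOR = 512  # assumption: 512-byte logical sectors
OEM_IDS = {b"-FVE-FS-": "bitlocker", b"NTFS    ": "ntfs"}

def classify_boot_sector(sector: bytes) -> str:
    """Classify a volume by the 8-byte OEM ID at offset 3 of its first sector."""
    if len(sector) < SECTOR:
        return "short-read"
    return OEM_IDS.get(sector[3:11], "unknown")

def mbr_partitions(mbr: bytes):
    """Yield (index, type, start_lba) for each used primary MBR entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        return  # no valid MBR boot signature
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        ptype = entry[4]
        start_lba = struct.unpack_from("<I", entry, 8)[0]
        if ptype != 0 and start_lba != 0:
            yield i, ptype, start_lba

def scan_image(img) -> dict:
    """Map partition index -> classification for a seekable disk image."""
    img.seek(0)
    mbr = img.read(SECTOR)
    results = {}
    for idx, _ptype, lba in mbr_partitions(mbr):
        img.seek(lba * SECTOR)
        results[idx] = classify_boot_sector(img.read(SECTOR))
    return results

def build_sample_image() -> io.BytesIO:
    """Constructed image: MBR, an NTFS-style, a BitLocker-style and a blank volume."""
    def boot(oem: bytes) -> bytes:
        s = bytearray(SECTOR)
        s[0:3] = b"\xeb\x52\x90"      # jump instruction placeholder
        s[3:11] = oem                 # OEM ID field
        s[510:512] = b"\x55\xaa"
        return bytes(s)
    mbr = bytearray(SECTOR)
    for i, lba in enumerate((1, 2, 3)):
        # status, type 0x07, start LBA, sector count (CHS fields left zero)
        struct.pack_into("<BxxxBxxxII", mbr, 446 + 16 * i, 0, 0x07, lba, 1)
    mbr[510:512] = b"\x55\xaa"
    return io.BytesIO(bytes(mbr) + boot(b"NTFS    ") + boot(b"-FVE-FS-") + bytes(SECTOR))

if __name__ == "__main__":
    print(scan_image(build_sample_image()))
```

To run it on real evidence, pass `scan_image` a read-only file object opened on the acquired image instead of the constructed one.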
